deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-21 17:57:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

update machine groups and tags

Browse Source
This commit is contained in:
Joey Caparas 2018-04-10 16:01:25 -07:00
parent 5554084371
commit 094f391beb
4 changed files with 61 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-machines-list-view2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 81 KiB

After

Width:  |  Height:  |  Size: 65 KiB

109
windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -73,57 +73,6 @@ If you have enabled the Azure ATP feature and there are alerts related to the ma
**Machine reporting**</br> **Machine reporting**</br>
Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen reporting to the service. Provides the last internal IP and external IP of the machine. It also shows when the machine was first and last seen reporting to the service.
## Manage machine group and tags
Machine group and tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic groups creation as part of an incident.
Machine related properties are being extended to account for:
- Group affiliation
- Dynamic context capturing
### Use tags to group machines with similar attributes 
Add tags on machines that have similar attributes, then use the tags to create Machine groups for role based access (RBAC) or filter machines by selecting the Tag filter on the Machines list.
Machine group affiliation can represent geographic location, specific activity, importance level and others. Grouping machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. After creating groups, you can apply the Group filter on the Machines list to get a narrowed list of machines.
Machine group is defined in the following registry key entry of the machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
### Set standard tags on machines
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**.
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** or **Groups** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)
## Alerts related to this machine ## Alerts related to this machine
The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts). The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. You can also manage alerts from this section by clicking the circle icons to the left of the alert (or using Ctrl or Shift + click to select multiple alerts).
@ -206,6 +155,64 @@ Expand an event to view associated processes related to the event. Click on the
The details pane enriches the in-context information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context. The details pane enriches the in-context information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context.
## Add machine tags
While investigating a machine, you can add tags on machines. Machine tags support proper mapping of the network, enabling you to attach different tags to machines to capture context and to enable dynamic list creation as part of an incident.
You can add tags on machines using the following ways:
- By setting a registry key value
- By using the portal
### Add machine tags by setting a registry key value
Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:
- Registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
- Registry key value (string): Group
### Add machine tags using the portal
Dynamic context capturing is achieved using tags. By tagging machines, you can keep track of individual machines in your organization. After adding tags on machines, you can apply the Tags filter on the Machines list to get a narrowed list of machines with the tag.
1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views:
- **Security operations dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
You can also get to the alert page through the file and IP views.
2. Open the **Actions** menu and select **Manage tags**.
![Image of taking action to manage tags on a machine](images/atp-manage-tags.png)
3. Enter tags on the machine. To add more tags, click the + icon.
4. Click **Save and close**.
![Image of adding tags on a machine](images/atp-save-tag.png)
Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines.
### Manage machine tags
You can manage tags from the Actions button or by selecting a machine from the Machines list and opening the machine details panel.
![Image of adding tags on a machine](images/atp-tag-management.png)
## Use machine groups in an investigation
Machine group affiliation can represent geographic location, specific activity, importance level and others.
You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or who can see information on a specific machine group or groups by assigning the machine group to a user group. For more information, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md).
You can also use machine groups to assign specific remediation levels to apply during automated investigations.
In an investigation, you can filter the Machines list to just specific machine groups by using the Groups filter.
For more information, see [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md).
## Related topics ## Related topics

4
windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
--- ---
title: Create machine groups in Windows Defender ATP title: Create and manage machine groups in Windows Defender ATP
description: Create machine groups and set automated remediation levels on them by confiring the rules that apply on the group description: Create machine groups and set automated remediation levels on them by confiring the rules that apply on the group
keywords: machine groups, groups, remediation, level, rules, aad group, role, assign, rank keywords: machine groups, groups, remediation, level, rules, aad group, role, assign, rank
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.date: 04/16/2018 ms.date: 04/16/2018
--- ---
# Create machine groups in Windows Defender ATP # Create and manage machine groups in Windows Defender ATP
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise

2
windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
View File

@ -13,7 +13,7 @@ ms.localizationpriority: high
ms.date: 04/16/2018 ms.date: 04/16/2018
--- ---
# Manage portal access using role-based based access control # Manage portal access using role-based access control
**Applies to:** **Applies to:**
- Windows 10 Enterprise - Windows 10 Enterprise